When speaking about cyber security, we have to “change the narrative to talk about harm reduction rather than vulnerability reduction.” That’s the view of Dr. Ian Levy, technical director of the UK’s recently launched National Cyber Security Centre.

Speaking yesterday at Microsoft’s Future Decoded event in London, Levy tackled what he sees as major flaws in the cyber security sector, comparing the current industry to “medieval witchcraft” where hackers are depicted as “winged ninja cyber-monkeys.”

Levy’s view is that the modern illustration of hackers wearing hoodies and working in darkened rooms is all about generating a fear response from consumers. “As we become more and more dependent on technology, as we become more and more dependent on machines making decisions for us, we have to change this narrative,” he said.

“A lot of the attacks that we see on the internet today are not perpetrated by winged ninja cyber-monkeys. Attackers have to obey the laws of physics; they can’t do things that are physically impossible. So let’s talk about how they actually do stuff, let’s change the narrative so people can make rational risk-management decisions by giving them high quality information.”

The same is true of the security advice issued to the public, such as being told not to open an email attachment unless you trust the source, or to use a different, complex password for every service. According to Levy, this advice is just trying to get users to compensate for poor system design. “If we’re trying to secure the UK, if we’re trying to make the UK a better and safer place, this kind of advice has to go. We have to make it much more user-centric and stop blaming the user. This is how cyber security runs today: it all runs on fear. Nowhere else in public policy do you allow fear to rule the public’s perception of something.”

So, how do we change the narrative? Well, the government’s new cyber security strategy – launched yesterday – is the starting point, setting out “what we are going to do as a government over the next 5 years to fundamentally change the return on investment of attacking the UK.” But the most important factor is transparency, i.e. letting the public know exactly what their money is being spent on. “Transparency in cyber security is unheard of as far as I can tell,” Levy said. “Only through transparency do you build trust and only through trust can you build technologies that people want to use.

“I want to get to a point where we have data, we have metrics and we can start to explain to the public how we are defending the UK.” It’s certainly a nice idea and the ball is well and truly in the government’s court to make it happen.